DOI: 10.1145/1315245.1315314

Memsherlock: an automated debugger for unknown memory corruption vulnerabilities

Published: 28 October 2007

ABSTRACT

Software vulnerabilities have been the main contributing factor to Internet security problems such as fast-spreading worms. Among these software vulnerabilities, memory corruption vulnerabilities such as buffer overflows and format string bugs have been the ones most commonly exploited by network-based attacks. Many security countermeasures (e.g., patching, automatic signature generation for intrusion detection systems) require vulnerability information to function correctly. However, despite many years of research, automatically identifying unknown software vulnerabilities still remains an open problem.

In this paper, we present the development of a security debugging tool named MemSherlock, which can automatically identify unknown memory corruption vulnerabilities upon the detection of malicious payloads that exploit such vulnerabilities. MemSherlock provides critical information about unknown memory corruption vulnerabilities, including (1) the corruption point in the source code (i.e., the statement that allows the memory corruption vulnerability to be exploited), (2) the slice of source code that allows the malicious input to reach the corruption point, and (3) a description of how the malicious input exploits the unknown vulnerability. We evaluate MemSherlock with a set of 11 real-world applications that have buffer overflow, heap overflow, and format string vulnerabilities. The evaluation results indicate that MemSherlock is a useful tool for facilitating the automatic vulnerability analysis process.

Published in

CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security
October 2007
628 pages
ISBN: 9781595937032
DOI: 10.1145/1315245

        Copyright © 2007 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '07 paper acceptance rate: 55 of 302 submissions (18%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
